From febcacd87fee0097c9fcc202ccc475aaf09b48fc Mon Sep 17 00:00:00 2001
From: Abhishek Dosi
Date: Fri, 5 Feb 2021 17:00:52 -0800
Subject: [PATCH 1/7] Added test case to verify ebtables rules.
Signed-off-by: Abhishek Dosi
---
 tests/cacl/test_ebtables_application.py | 42 +++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 tests/cacl/test_ebtables_application.py
diff --git a/tests/cacl/test_ebtables_application.py b/tests/cacl/test_ebtables_application.py
new file mode 100644
index 00000000000..72b39cd3c7c
--- /dev/null
+++ b/tests/cacl/test_ebtables_application.py
@@ -0,0 +1,42 @@
+import pytest
+from tests.common.helpers.assertions import pytest_assert
+
+logger = logging.getLogger(__name__)
+
+pytestmark = [
+ pytest.mark.disable_loganalyzer, # disable automatic loganalyzer globally
+ pytest.mark.topology('any')
+]
+
+def generate_expected_rules(duthost):
+ ebtables_rules = []
+ # Default policies
+ ebtables_rules.append("-d BGA -j DROP")
+ ebtables_rules.append("-p ARP -j DROP")
+ ebtables_rules.append("-p 802_1Q --vlan-encap ARP -j DROP")
+ return ebtables_rules
+
+
+def test_ebtables_application(duthosts, rand_one_dut_hostname):
+ """
+ Test case to ensure ebtables rules are applied are corectly on DUT during init
+
+ This is done by generating our own set of expected ebtables
+ rules based on the DuT's configuration and comparing them against the
+ actual ebtables rules on the DuT.
+ """
+ duthost = duthosts[rand_one_dut_hostname]
+ expected_ebtables_rules = generate_expected_rules(duthost)
+
+ stdout = duthost.shell("sudo ebtables -L FORWARD")["stdout"]
+ ebtables_rules = stdout.strip().split("\n")
+
+ actual_ebtables_rules = [rule.strip() for rule in ebtables_rules if rule.startswith('-')]
+
+ # Ensure all expected ebtables rules are present on the DuT
+ missing_ebtables_rules = set(expected_ebtables_rules) - set(actual_ebtables_rules)
+ pytest_assert(len(missing_ebtables_rules) == 0, "Missing expected ebtables rules: {}".format(repr(missing_ebtables_rules)))
+
+ # Ensure there are no unexpected ebtables rules present on the DuT
+ unexpected_ebtables_rules = set(actual_ebtables_rules) - set(expected_ebtables_rules)
+ pytest_assert(len(unexpected_ebtables_rules) == 0, "Unexpected ebtables rules: {}".format(repr(unexpected_ebtables_rules)))
From a6d5c16b2ab95f6df6923823541fa49d90bf5940 Mon Sep 17 00:00:00 2001
From: Abhishek Dosi
Date: Wed, 27 Oct 2021 16:24:36 -0700
Subject: [PATCH 2/7] Fix to avoid overlap of Front Port Channel and Internal Pot Channel
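Review bot: `logging.getLogger(__name__)` is called at module level in the new file, but `logging` is never imported, so collection fails with a NameError before the test can run; add `import logging` above `import pytest`. In `test_ebtables_application` the filter `rule.startswith('-')` is evaluated on the unstripped line while `rule.strip()` is applied only to the value that is kept, so a rule line printed with leading whitespace would be dropped from the comparison without any failure; `[rule.strip() for rule in ebtables_rules if rule.strip().startswith('-')]` keeps the two consistent. `generate_expected_rules` also ignores its `duthost` argument, although the docstring says the expected rules are derived from the DuT's configuration, so either the docstring or the helper should be adjusted.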
Signed-off-by: Abhishek Dosi --- ansible/templates/minigraph_dpg_asic.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/templates/minigraph_dpg_asic.j2 b/ansible/templates/minigraph_dpg_asic.j2 index ceca239598e..44e89c532ab 100644 --- a/ansible/templates/minigraph_dpg_asic.j2 +++ b/ansible/templates/minigraph_dpg_asic.j2 @@ -95,7 +95,7 @@ {% if 'port-channel' in vm_topo_config['vm'][vms[index]]['ip_intf'][dut_index|int]|lower %} {% set port_channel_intf=';'.join(vm_asic_ifnames[vms[index]]) %} - PortChannel{{ ((index+1)|string).zfill(2) }} + PortChannel{{ ((index+1)|string).zfill(4) }} {{ port_channel_intf }} @@ -142,7 +142,7 @@ {% if 'port-channel' in vm_topo_config['vm'][vms[index]]['ip_intf'][dut_index|int]|lower %} - PortChannel{{ ((index+1) |string).zfill(2) }} + PortChannel{{ ((index+1) |string).zfill(4) }} {% else %} {{ front_panel_asic_ifnames[vm_topo_config['vm'][vms[index]]['interface_indexes'][dut_index|int][0]] }} {% endif %} @@ -151,7 +151,7 @@ {% if 'port-channel' in vm_topo_config['vm'][vms[index]]['ip_intf'][dut_index|int]|lower %} - PortChannel{{ ((index+1) |string).zfill(2) }} + PortChannel{{ ((index+1) |string).zfill(4) }} {% else %} {{ front_panel_asic_ifnames[vm_topo_config['vm'][vms[index]]['interface_indexes'][dut_index|int][0]] }} {% endif %} From fe770ed4d6a8d7265e70df8f1bf5dc3576b762dc Mon Sep 17 00:00:00 2001 From: Abhishek Dosi Date: Fri, 4 Aug 2023 22:53:08 +0000 Subject: [PATCH 3/7] Increase wait time for link up post config reload/minigraph for modular chassis Signed-off-by: Abhishek Dosi --- tests/common/config_reload.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/common/config_reload.py b/tests/common/config_reload.py index b69a3f73c02..5df6f7c50d5 100644 --- a/tests/common/config_reload.py +++ b/tests/common/config_reload.py 
@@ -141,7 +141,8 @@ def _config_reload_cmd_wrapper(cmd, executable): "PFC_WD is missing in CONFIG-DB") if check_intf_up_ports: - pytest_assert(wait_until(300, 20, 0, check_interface_status_of_up_ports, sonic_host), + link_up_wait_time = 360 if modular_chassis else 300 + pytest_assert(wait_until(link_up_wait_time, 20, 0, check_interface_status_of_up_ports, sonic_host), "Not all ports that are admin up on are operationally up") else: time.sleep(wait) From d044f9ff63311496ebf79e343ebf4f73986e7083 Mon Sep 17 00:00:00 2001 From: Abhishek Dosi Date: Tue, 14 Nov 2023 10:26:51 +0000 Subject: [PATCH 4/7] ignore ttl check not using the correct ip header for outer ipv4 and inner ipv6 test case Signed-off-by: Abhishek Dosi --- ansible/roles/test/files/ptftests/py3/hash_test.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ansible/roles/test/files/ptftests/py3/hash_test.py b/ansible/roles/test/files/ptftests/py3/hash_test.py index d6a6e2b66e0..2b1fb6fbcd9 100644 --- a/ansible/roles/test/files/ptftests/py3/hash_test.py +++ b/ansible/roles/test/files/ptftests/py3/hash_test.py @@ -388,7 +388,8 @@ def check_ipv6_route(self, hash_key, src_port, dst_port_lists): masked_exp_pkt.set_do_not_care_scapy(scapy.Ether, "dst") # mask the chksum also if masking the ttl if self.ignore_ttl: - masked_exp_pkt.set_do_not_care_scapy(scapy.IPv6, "hlim") + masked_exp_pkt.set_do_not_care_scapy(scapy.IP, "ttl") + masked_exp_pkt.set_do_not_care_scapy(scapy.IP, "chksum") masked_exp_pkt.set_do_not_care_scapy(scapy.TCP, "chksum") masked_exp_pkt.set_do_not_care_scapy(scapy.Ether, "src") From 23f06858ca5d65b66c4b87a3ae8f75e9d9054583 Mon Sep 17 00:00:00 2001 From: Abhishek Dosi Date: Tue, 14 Nov 2023 10:32:44 +0000 Subject: [PATCH 5/7] Revert "Increase wait time for link up post config reload/minigraph for modular" This reverts commit fe770ed4d6a8d7265e70df8f1bf5dc3576b762dc. --- tests/common/config_reload.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
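Review bot: `modular_chassis` is read on the added `link_up_wait_time` line, but nothing in this hunk assigns it; the enclosing function starts and ends outside the hunk, so confirm the name is bound on every path that reaches `if check_intf_up_ports:`, otherwise the test raises a NameError instead of waiting. The two timeouts are bare literals, and a short comment such as `# modular chassis: links take longer to come up after config reload` would record why 360 was chosen over 300.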
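Review bot: With `self.ignore_ttl` set, `check_ipv6_route` now masks `ttl` and `chksum` on `scapy.IP` and no longer masks `hlim` on `scapy.IPv6`, whatever the expected packet actually contains. That matches the outer-IPv4 case named in the commit subject, but for an expected packet without an IPv4 layer the hop limit is compared again and the `scapy.IP` masks have no header to apply to, which presumably ends in an error or a spurious mismatch (confirm against the mask helper). Select the header from the packet instead, for example `if masked_exp_pkt.exp_pkt.haslayer(scapy.IP):` around the two IPv4 masks and an `else:` branch that keeps the `scapy.IPv6` `hlim` mask. The function body continues outside the hunk.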
diff --git a/tests/common/config_reload.py b/tests/common/config_reload.py index 13977ecb723..4f2159b897b 100644 --- a/tests/common/config_reload.py +++ b/tests/common/config_reload.py @@ -148,8 +148,7 @@ def _config_reload_cmd_wrapper(cmd, executable): "PFC_WD is missing in CONFIG-DB") if check_intf_up_ports: - link_up_wait_time = 360 if modular_chassis else 300 - pytest_assert(wait_until(link_up_wait_time, 20, 0, check_interface_status_of_up_ports, sonic_host), + pytest_assert(wait_until(300, 20, 0, check_interface_status_of_up_ports, sonic_host), "Not all ports that are admin up on are operationally up") else: time.sleep(wait) From 4ce6724b04a523bd500752c1023367a78411cead Mon Sep 17 00:00:00 2001 From: Abhishek Dosi Date: Tue, 14 Nov 2023 10:41:36 +0000 Subject: [PATCH 6/7] Revert "ignore ttl check not using the correct ip header for outer ipv4 and" This reverts commit d044f9ff63311496ebf79e343ebf4f73986e7083. --- ansible/roles/test/files/ptftests/py3/hash_test.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ansible/roles/test/files/ptftests/py3/hash_test.py b/ansible/roles/test/files/ptftests/py3/hash_test.py index 2b1fb6fbcd9..d6a6e2b66e0 100644 --- a/ansible/roles/test/files/ptftests/py3/hash_test.py +++ b/ansible/roles/test/files/ptftests/py3/hash_test.py @@ -388,8 +388,7 @@ def check_ipv6_route(self, hash_key, src_port, dst_port_lists): masked_exp_pkt.set_do_not_care_scapy(scapy.Ether, "dst") # mask the chksum also if masking the ttl if self.ignore_ttl: - masked_exp_pkt.set_do_not_care_scapy(scapy.IP, "ttl") - masked_exp_pkt.set_do_not_care_scapy(scapy.IP, "chksum") + masked_exp_pkt.set_do_not_care_scapy(scapy.IPv6, "hlim") masked_exp_pkt.set_do_not_care_scapy(scapy.TCP, "chksum") masked_exp_pkt.set_do_not_care_scapy(scapy.Ether, "src") From 823eef48794f165303f84770a360899e81704a87 Mon Sep 17 00:00:00 2001 
From: Abhishek Dosi Date: Tue, 14 Nov 2023 11:00:54 +0000 Subject: [PATCH 7/7] macsec port channel workaround to remove/add member port applies only for dnx platforms. Signed-off-by: Abhishek Dosi --- tests/macsec/macsec_config_helper.py | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/tests/macsec/macsec_config_helper.py b/tests/macsec/macsec_config_helper.py index 620ba150699..e1271b64643 100644 --- a/tests/macsec/macsec_config_helper.py +++ b/tests/macsec/macsec_config_helper.py @@ -93,14 +93,17 @@ def enable_macsec_port(host, port, profile_name): return pc = find_portchannel_from_member(port, get_portchannel(host)) - if pc: + + dnx_platform = host.facts.get("platform_asic") == 'broadcom-dnx' + + if dnx_platform and pc: host.command("sudo config portchannel {} member del {} {}".format(getns_prefix(host, port), pc["name"], port)) time.sleep(2) cmd = "sonic-db-cli {} CONFIG_DB HSET 'PORT|{}' 'macsec' '{}'".format(getns_prefix(host, port), port, profile_name) host.command(cmd) - if pc: + if dnx_platform and pc: time.sleep(2) host.command("sudo config portchannel {} member add {} {}".format(getns_prefix(host, port), pc["name"], port)) @@ -116,14 +119,16 @@ def disable_macsec_port(host, port): return pc = find_portchannel_from_member(port, get_portchannel(host)) - if pc: + dnx_platform = host.facts.get("platform_asic") == 'broadcom-dnx' + + if dnx_platform and pc: host.command("sudo config portchannel {} member del {} {}".format(getns_prefix(host, port), pc["name"], port)) time.sleep(2) cmd = "sonic-db-cli {} CONFIG_DB HDEL 'PORT|{}' 'macsec'".format(getns_prefix(host, port), port) host.command(cmd) - if pc: + if dnx_platform and pc: time.sleep(2) host.command("sudo config portchannel {} member add {} {}".format(getns_prefix(host, port), pc["name"], port))
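Review bot: In both `enable_macsec_port` and `disable_macsec_port` the member port is removed from its PortChannel before the `sonic-db-cli` call and re-added only after that call returns, so if `host.command(cmd)` raises (presumably it does on a non-zero exit; confirm) the DUT is left with the port detached for every later test. Put `host.command(cmd)` under `try:` and move the second `if dnx_platform and pc:` block under `finally:` in each function. The `'broadcom-dnx'` comparison is also duplicated in the two functions with no explanation; a comment such as `# workaround needed on broadcom-dnx only: detach the port from its PortChannel while the macsec setting changes` would record why other platforms skip it. Both function bodies start outside the hunks.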